We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

How private is that connected car? US v. EU

Among the fastest growing sectors in the industry of smart things is the connected car. No longer a simple way from point A to point B, cars now comprise a computer, cell phone and camera all rolled into one motorized package. Because these cars collect and transmit significant amounts of data, and can access sensitive information on drivers’ (and passengers’) cell phones, many vehicle owners are asking what lies ahead for their personal privacy.

In the US, several major automakers voluntarily banded together to create the Consumer Privacy Protection Principles For Vehicle Technologies and Services, precepts regulating how automakers collect, use and share sensitive consumer information. The seven principles are (1) transparency; (2) choice; (3) respect for context; (4) data minimization, de-identification and retention; (5) data security; (6) integrity and access; and (7) accountability.

The Principles apply to the collection and use of “Covered Information,” which is information that is (1) collected, generated, recorded or stored in electronic form; (2) on a car or light truck sold or leased to individual consumers for personal use in the US; (3) that is retrieved by or on behalf of an automaker that has signed on to the Principles; and (4) that is identifiable to the vehicle, owner or registered user using a service associated with that vehicle.

Importantly, the Principles apply only to automakers that have signed on to the Principles (Participating Members) and are now binding baseline privacy commitments enforceable against Participating Members through Section 5 of the FTC Act. When a Participating Member engages unaffiliated companies to conduct business on its behalf (such as an auto dealership or call center), the Participating Member commits to taking “reasonable steps” to ensure those companies adhere to the Principles if they will be receiving Covered Information, and the Principles provide Participating Members flexibility in determining which accountability measures may be “reasonable.” For example, contracts with such entities could include audit rights, or a commitment by the unaffiliated companies to comply with the Principles.

A similar approach to vehicle owner privacy is being adopted in the EU. In 2014, the Article 29 Working Party published its Opinion on the Internet of Things (WP 29 Report). The WP 29 Report did not focus on connected cars per se, but the principles it puts forth nonetheless apply.

In essence, the WP 29 Report states that concerns over processing of personal data should not be an obstacle to innovation and seeks to balance technological advancement with personal data safeguards. Because privacy compliance will only grow more complex, the WP 29 Report urges manufacturers to adopt “privacy by design” principles.

For example, cars are already capable of monitoring physical data, such as pulse or breathing rates. But that information constitutes highly regulated sensitive personal data under the EU regime. Manufacturers should address the implications of these legal parameters in the design of cars that will be used in the EU.

Similarly, the global nature of the auto business presents some significant challenges where car-generated data may be transferred outside the EU. Ordinarily, when an individual’s data is being sent outside the EU, the individual must first consent. However, in the context of a connected car, the issue grows thorny: the individual from whom consent must first be obtained may be the vehicle owner, or the driver, or a renter, or a passenger. Manufacturers will need to establish a way of obtaining informed consent from the relevant data subject, which may be challenging if the data subject changes based on who is using the vehicle at any given moment.

Concerns over compliance are particularly urgent because violating the new EU Data Protection Regulation can mean massive fines for a company in breach of its obligations: up to 5 percent of global annual turnover, or €100 million, whichever is the greater. This issue cannot be ignored.

In sum, the connected car goes for a spin in a fluid, rapidly shifting landscape. Automakers, whether selling in the US or the EU, are well advised that bringing the latest technology to market is not enough: they also need to attend to rapidly evolving privacy laws.